Following is a small document for my operations and support team related to
packet capture on Cisco ASA without using ACLs. I thought of sharing it with
you guys.

 =============================


Following are exec mode commands that can be used to capture data from
an ASA firewall without using an access-list and with CONFIG mode.



CAPTURE 1_inbound to firewall.



 capture SRV2_WEB_INBOUND interface outside buffer 5555550 match ip
10.104.206.40  255.255.255.255 170.138.131.136 255.255.255.255



SRV2_WEB_INBOUND = capture name, can be anything.



outside = interface name; must be the specific interface where the SOURCE is
entering the firewall. Could be inside, outside.



buffer = buffer size of the capture; 5555550 is worth 5.5 megabytes. It
can be lower, but definitely not bigger, because this capture is stored in
the firewall, which has limited space.



match = what type of protocol; could be ip, udp, tcp, icmp, etc.



10.104.206.40 = SOURCE address



70.38.130.136 = DESTINATION address.







CAPTURE 2_outbound/return from firewall.



capture SRV2_WEB_RETURN interface SRV-prod buffer  5555550 match ip
170.138.131.136 255.255.255.255  10.104.206.40  255.255.255.255







For the return traffic, the only difference from Capture 1 is that the
interface is changed from outside to SRV-prod (which is the DMZ). Also, the
source is now 170.138.131.136 instead of 10.104.206.40.
The destination is 10.104.206.40.







How to view the capture on the firewall:



show capture CAP_NAME







How to retrieve captures from the firewall to TFTP



copy /pcap capture: tftp:



Source capture name []? CAP_NAME



Address or name of remote host []? IP_ADD_OF_TFTP_SERVER(1.1.1.1)



Destination filename [CAP_NAME]? CAP_NAME.pcap       <<<<<<<<< don't forget
to add '.pcap' to the DESTINATION FILENAME, else Wireshark won't identify it.



!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!



Completed.


FNK
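A small parser for the packet lines that `show capture NAME` prints (the format Parvez's output further down this thread shows), added here as an example and not part of the original mail: it counts captured UDP/514 packets per destination so you can see at a glance whether every syslog server is actually receiving traffic. The function names are mine; the sample is a trimmed copy of the output quoted in the thread.

```python
import re
from collections import Counter

# One packet line of ASA "show capture NAME" output looks like:
#    1: 21:36:54.023771 10.150.24.1.514 > 10.8.4.121.514:  udp 137
PKT_RE = re.compile(
    r"^\s*(?P<idx>\d+):\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):\s+"
    r"(?P<proto>[a-z]+)\s+(?P<length>\d+)"
)


def parse_show_capture(text):
    """Return one dict per packet line; header, footer and blank lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:
            d = m.groupdict()
            for k in ("idx", "sport", "dport", "length"):
                d[k] = int(d[k])
            pkts.append(d)
    return pkts


def syslog_delivery_report(text, expected_servers, port=514):
    """Count UDP packets to `port` per destination; list expected servers with none."""
    counts = Counter()
    for p in parse_show_capture(text):
        if p["proto"] == "udp" and p["dport"] == port:
            counts[p["dst"]] += 1
    missing = [s for s in expected_servers if counts[s] == 0]
    return dict(counts), missing


# Constructed sample: four lines of the "sh capture CAP" output quoted in this thread.
SAMPLE = """\
10 packets captured

   1: 21:36:54.023771 10.150.24.1.514 > 10.8.4.121.514:  udp 137
   2: 21:37:04.001220 10.150.24.1.514 > 10.150.200.81.514:  udp 137
   3: 21:37:04.001251 10.150.24.1.514 > 10.8.4.121.514:  udp 137
  10: 21:39:30.241976 10.150.24.1.514 > 10.8.4.121.514:  udp 225
10 packets shown
"""

if __name__ == "__main__":
    counts, missing = syslog_delivery_report(SAMPLE, ["10.8.4.121", "10.150.200.81"])
    print(counts, "servers with no packets:", missing)
```

Paste the full `show capture` output into `SAMPLE` (or read it from a file) and list both syslog servers in `expected_servers`; a server that never appears as a destination is the one to chase.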


On Wed, Jun 27, 2012 at 2:21 PM, parvez ahmad <[email protected]> wrote:

> Thanks Piotr/Eugene/Fawad,
>
> It was an issue with the Netforensic tool installed on the syslog server.
> Due to segregation of duties we don't have access to the server.
>
> However, the output shows there is no issue at the ASA.
>
> CCT-SJJPCPL07-FW01(config)# sh capture CAP
>
> 10 packets captured
>
>    1: 21:36:54.023771 10.150.24.1.514 > 10.8.4.121.514:  udp 137
>    2: 21:37:04.001220 10.150.24.1.514 > 10.150.200.81.514:  udp 137
>    3: 21:37:04.001251 10.150.24.1.514 > 10.8.4.121.514:  udp 137
>    4: 21:37:57.988794 10.150.24.1.514 > 10.8.4.121.514:  udp 137
>    5: 21:38:07.986765 10.150.24.1.514 > 10.150.200.81.514:  udp 137
>    6: 21:38:07.986811 10.150.24.1.514 > 10.8.4.121.514:  udp 137
>    7: 21:39:01.975657 10.150.24.1.514 > 10.8.4.121.514:  udp 137
>    8: 21:39:11.973384 10.150.24.1.514 > 10.150.200.81.514:  udp 137
>    9: 21:39:11.973414 10.150.24.1.514 > 10.8.4.121.514:  udp 137
>   10: 21:39:30.241976 10.150.24.1.514 > 10.8.4.121.514:  udp 225
>
> 10 packets shown
>
>
> Thanks a lot to Piotr for this command.
>
>
> Regards,
>
> Parvez
>
>
> On Wed, Jun 27, 2012 at 1:13 AM, Eugene Pefti <[email protected]> wrote:
>
>> The ASA should send its logging to as many syslog servers as you
>> configure. Is this a production environment?
>>
>> Most likely what Piotr said. By the way, I didn't know that you can see
>> the locally generated traffic on the ASA with captures.
>>
>> *From:* Piotr Matusiak [mailto:[email protected]]
>> *Sent:* Tuesday, June 26, 2012 12:19 PM
>> *To:* parvez ahmad; Eugene Pefti
>> *Cc:* [email protected]
>> *Subject:* Re: [OSL | CCIE_Security] ASA with two Syslog Server
>>
>> Seems like a routing issue or filtering somewhere in the middle. Anyway,
>> you can capture that traffic on the ASA.
>>
>> Try this (change your interface depending on where your SYSLOG is):
>>
>> ciscoasa(config)# access-li SYSLOG per udp any eq 514 any eq 514
>> ciscoasa(config)# capture TEST type raw-data interface inside access-list
>> SYSLOG
>>
>> ciscoasa(config)# sh cap TEST
>> 2 packets captured
>>    1: 00:04:11.419060 10.1.1.10.514 > 10.1.1.1.514:  udp 69
>>    2: 00:04:11.456580 10.1.1.10.514 > 10.1.1.1.514:  udp 107
>> 2 packets shown
>>
>> Regards,
>> Piotr
>>
>> *From:* parvez ahmad <[email protected]>
>> *Sent:* Tuesday, June 26, 2012 8:35 PM
>> *To:* Eugene Pefti <[email protected]>
>> *Cc:* [email protected]
>> *Subject:* Re: [OSL | CCIE_Security] ASA with two Syslog Server
>>
>> Hello,
>>
>> The number of messages is increasing (checked with the sh logging command).
>>
>> But one of the syslog servers is not getting logs.
>>
>> How can we ensure that the ASA is sending the syslogs to both syslog
>> servers?
>>
>> Regards
>> Parvez
>>
>> On Tue, Jun 26, 2012 at 1:46 PM, Eugene Pefti <[email protected]>
>> wrote:
>>
>> See below the number of messages in red.
>> If your ASA is configured correctly then they should increment.
>>
>> 5510-ASA# sh logging
>> Syslog logging: enabled
>>     Facility: 20
>>     Timestamp logging: enabled
>>     Standby logging: disabled
>>     Debug-trace logging: disabled
>>     Console logging: level errors, 5312 messages logged
>>     Monitor logging: disabled
>>     Buffer logging: level informational, 135581860 messages logged
>>     Trap logging: level warnings, facility 20, 69388 messages logged
>>         Logging to inside 192.168.14.4 errors: 1  dropped: 1
>>         Logging to inside 192.168.14.5 errors: 2535  dropped: 9164
>>
>> *From: *parvez ahmad <[email protected]>
>> *Date: *Monday, June 25, 2012 11:19 PM
>> *To: *"[email protected]" <[email protected]>
>> *Subject: *[OSL | CCIE_Security] ASA with two Syslog Server
>>
>> Hello,
>>
>> We have configured the ASA as per the below.
>>
>> Outside------ASA----Inside
>>
>> We have one more interface, DMZ, with security level 50, and have two syslog
>> servers, one inside and another in the DMZ.
>>
>> I have configured the ASA to send the syslog to these servers.
>>
>> How can I check that the ASA is sending syslog to these servers at UDP
>> port 514?
>>
>> Show snmp-server statistics is not that much helpful; I just wanted to
>> know another way to check it.
>>
>> Regards,
>> Parvez
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>>
>> Are you a CCNP or CCIE and looking for a job? Check out
>> www.PlatinumPlacement.com
>>
>